Ben Rothke writes "It is 2008 and never has so much been spent in information security. Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along thinking things are getting better and more secure. Obviously something needs to change. And that new change is what The New School of Information Security attempts to conceive."

The New School of Information Security
author: Adam Shostack and Andrew Stewart
pages: 288
publisher: Addison-Wesley
rating: 9
reviewer: Ben Rothke
ISBN: 978-0321502780
summary: Information security is highly broken; this book suggests a realistic fix.

Far too much of the security industry has its roots in FUD. Billions of dollars of information security products have been sold, and for what? The book asks why information security is so dysfunctional and why companies so often waste so much money on security. So what is this thing called the new school? The authors define it as neither a service nor a product; rather, it is a new approach that uses the scientific method and objective data. This in turn draws on diverse fields to give an entirely new perspective on making effective security decisions. The authors rightly believe that when objective data is used, it enables better decision-making.

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

The book starts out with observations of why there are so many failures within information security. Anyone with experience in security can easily relate to these issues. One recurring theme throughout the book is that poor data, be it research or advertising, negatively affects the state of security. The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusion of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using their service or purchasing their product.

In creating their new school, the authors have no qualms in attacking the dogma of the current state of information security. From Gartner to the Executive Alliance, the authors show that these groups and others often suffer from issues such as bias and a lack of scientific method. The book notes that the search for objective data on information security is at the heart of the philosophy of the new school. Since there is a drought of objective data today, the book asks how we can know that the conventional wisdom is the right thing to do. The observation is that the current state of affairs is unsustainable for the commercial security industry and for security practitioners.

The title of chapter 5 gives away the theme of the book — Amateurs Study Cryptography — Professionals Study Economics. The idea is that information security must do a better job of embracing such diverse fields as economics, psychology, sociology and more, to make effective decisions.

In some ways, the authors are perhaps too aggressive in their desire for security statistics. One of the most scientific approaches to information security is from CERT (www.cert.org). Yet the authors are not satisfied with CERT's findings that the majority of incidents appear to be insider based. Given what data and statistics we have in 2008, the figures from CERT are certainly good enough. Yes, they could be better, and yes, breach data is not actuarial data, but the data from CERT, combined with recent news and court cases (UBS, Société Générale, etc.), clearly show that insiders are the most insidious threat.

Also, while the current state of information security is indeed less than perfect, the authors are a bit too condescending toward areas where security is formalized (ISO 27001, etc.) yet not perfect.

After years of countless 1,000+ page massive security books, The New School of Information Security succinctly spreads its message in a brief 160 pages. In those 160 pages, the authors detail at a high level what needs to be done to create this new school. Therein lies the book's only flaw: its brevity. The authors want to get the concept of the new school out there, but they do not detail enough of the necessary requirements to make it work. They show with clarity how things are broken, but don't do enough to show how to fix them. Let's hope the authors are at work on a follow-up writing those necessary additions.

Some Slashdot readers are likely to question how an author (Shostack) can write a book on security while being employed by Microsoft. Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft. Indeed, they have a lot of catching up to do, but it is being done. Put another way, Microsoft has likely spent more on security than China has spent on democracy.

Too much of information security is clearly broken, and The New School of Information Security is about fixing it. The authors' pragmatic approach is a refreshing respite from years of security product based FUD and silver-bullet solutions. The approach of the new school is one that screams out to be put into place. It is the job of today's CISOs and CIOs to heed that call, take the initiative, and lead their organizations there. Either they graduate their staff from the new school, or we are faced with more decades of information security failures.

Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.

In my opinion, one of the most worrying trends in the computer security world was Bruce Schneier's turn from crypto guru to security consultant. He now gives only vague pronouncements of security, doesn't seem to seek to empower the community, and his books like Secrets and Lies [amazon.com] seem designed to sell Counterpane's services. Has lessening interest in widespread use of crypto led to security experts closing themselves off in consultancy bubbles?

I think what's likely is that Schneier realized that availability of good crypto isn't the only link in the security chain, and it's probably been a while since it was a candidate for weakest link.

Hence the discussion about how security as a field is reaching out to other disciplines -- organizational behavior and sociology and economics are essential because you're looking at the problem of why business organizations don't do well at security, and it isn't just a technical matter.

I used it because I think it is valid. If you force people to register for a chance to win something it is quite often that those not cognizant of the dangers will use their common login credentials which they use for everything, including work, their bank account, their mortgage etc. A malicious piece of code need only scan briefly for details regarding banks visited etc. to try to use those login credentials elsewhere. The number might not be as high as the 20+% quoted, but then even if it is only 3% it is

> one of the most worrying trends in the computer security
> world was Bruce Schneier's turn from crypto guru

The title of chapter 5 gives away the theme of the book -- Amateurs Study Cryptography -- Professionals Study Economics.

In other words, most of our security problems aren't rooted in flawed cryptography, they are based on the flawed allocation of resources and general human fallibility.
Good luck with your studies young man. Perhaps you can fill that hole you think Bruce Schneier has left.

In other words, most of our security problems aren't rooted in flawed cryptography, they are based on the flawed allocation of resources and general human fallibility.

I'm not sure about that. I think the biggest issue is the "monetization" of "cracking". This stuff used to be done for fun and thrills, geek cred, etc. Now a huge botnet is a cash cow; criminal organizations pay money for compromised IDs & CC #'s. Yes, human fallibility plays into this, but the premise that the resources being spent on security are wasted is nonsense

Perhaps you can fill that hole you think Bruce Schneier has left.

Agreed. While crypto has its place, it's a very small piece of the security pie. Firewalls, Anti-malware, policy enforcement, anti-

In other words, most of our security problems aren't rooted in flawed cryptography, they are based on the flawed allocation of resources and general human fallibility. Good luck with your studies young man. Perhaps you can fill that hole you think Bruce Schneier has left.

Why is it that everyone who posts on security is immediately compared to Bruce in derogatory terms? He certainly isn't the most influential practitioner within the field and he does not try to be. His focus is on describing what is reasona

who would you say the most influential practitioner within the field is?

I had the pleasure of hearing Adi Shamir [wikipedia.org] give a number of talks about his recent work at the Weizmann Institute. I think he's definitely a more influential figure than Schneier (albeit less well-known by the public). I don't think I'm informed enough to say he's "the most" influential though.

Ahem. Schneier's change of focus is not a "trend." However, there is a "trend" of people in our industry abusing terms like "trend" and horribly mangling the underlying concepts and mathematics. This is why this book sounds so good to me: No more FUD. Just the facts.

The difference between the rich and the poor is greater than ever, and power over the unwilling must be maintained through security.

What... criminy... can you put down your Karl Marx for a second and look at the reality.

The solution is to re-engineer the economic system, to prevent people from having the capability of getting so rich that poor people feel they are better off attacking or exploiting the system than they are living within its boundaries.

There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich.

I always love how socialists argue that we are too caught up in property while they, more than anyone else, continually keeps score on who has what.

Don't you think this generalizes just a little bit? My guess would be that out of the, you know, billions of poor, their poverty is more a result of circumstance than being "stupid." Hard for everyone to be smart w/out food, water, sanitation, rule of law, or school.

The difference between the rich and the poor is greater than ever, and power over the unwilling must be maintained through security.
What... criminy... can you put down your Karl Marx for a second and look at the reality.
The solution is to re-engineer the economic system, to prevent people from having the capability of getting so rich that poor people feel they are better off attacking or exploiting the system than they are living within its boundaries.
There's always going to be jealousy and that jealo

Sorry, but some fairly basic stats work will show that though your statement is correct, it could equally apply to intelligent people, ambitious people, basically anyone. The socialist objection is that for any randomly chosen person, no matter what that person does, her odds of getting rich are essentially nil, and the current economic system is rigged to maintain that status quo.

The socialist seeks to find the regulatory changes that would make the economic system more equitable. I for one don't thi

The socialist objection is that for any randomly chosen person, no matter what that person does, her odds of getting rich are essentially nil, and the current economic system is rigged to maintain that status quo.

But the flipside is that, even if a person does not get rich, if he works hard and works smartly, he or she will inevitably improve himself or herself. I've got one statistic that proves that point undeniably - education. People with degrees tend to earn far more over a lifetime than people that

But the flipside is that, even if a person does not get rich, if he works hard and works smartly, he or she will inevitably improve himself or herself. I've got one statistic that proves that point undeniably - education. People with degrees tend to earn far more over a lifetime than people that don't. Those people that went to college either worked harder, or worked smarter, made a commitment and invested themselves, and yes, they do finish on top.

This only applies to people with access to education, whether that access is economic or geographical. My thinking isn't just about the average North American who has a school down the street and a community college in the next town over. I'm thinking about the "superghettos" that are growing in cities all over Africa, South America, Asia, where millions of people per city are packed into neighbourhoods consisting of cardboard or mud shacks.

I'm thinking about the "superghettos" that are growing in cities all over Africa, South America, Asia, where millions of people per city are packed into neighbourhoods consisting of cardboard or mud shacks.

Lawful societies and free trade fix that. The UN calls for something like 1% of GDP in the form of a charity black hole and really, even the so-called carbon tax is really just a disguised attempt to shuffle money to the third world, but, ultimately, meaningful trade is what will elevate these people.

Disproof by contradiction [wikipedia.org].
And just in case you decide to say that "getting rich" doesn't include inheriting (even though inheritance is the biggest factor in persisting inequitable distribution of wealth), note that Ms. Hilton probably earned about $7M in 2005-06.

And, not only is your case weak as a generalization, it might even be weak in that instance. Is Paris Hilton stupid? She might not know calculus, but, she has managed to turn herself into a highly profitable brand. There's some brains in that, for sure.

There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich.

I would argue that economic factors play a much larger role than some notion of "intelligence". Sure there are plenty of drug addicts that rob random people to get their next higher fix, but a large portion of crime, especially information crime is done by intelligent people who simply have a hard time making a decent living by more conventional means

Misappropriated? That's a rationalization. They do it because they rationalize their own bad decisions into a sense of victimization and convince themselves they are entitled to do something wrong.

No. They decide that the prevailing social contract is not one they are prepared to accept. Law and order is not an inviolate thing. It is a social contract, agreed to by all participants in the society. If you agree to be a part of the social contract, it is wrong to violate it. If you do not agree to it,

That was obviously a very heartfelt post. It's a shame you don't have the first clue what treason actually is. Being that you're an American, treason in your country is defined in this way:

Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

In other words, treason is a crime that does not exist except where there is war.

Well that's the point, and you missed it. If you declare yourself a non-citizen of a country, then your act of inhabiting its lands while refusing to obey its laws is an invasion. That makes you in a state of war against the country, and it against you, satisfies your argument that requires a state of war for treason to exist, and makes you a traitor.

Your point wasn't missed. It was wrong. War must be declared between two nations. Even if some foreigner wanders into the country without getting stopped at the border and kills a thousand people, that still isn't an act of war unless it was sponsored by a foreign nation. By definition, war can only exist between two nation states.

Aside from a big discussion about what treason is or isn't, you are placed in this position:

I say there are circumstances in which actions that you label as treason are justifi

War must be declared between two nations. Even if some foreigner wanders into the country without getting stopped at the border and kills a thousand people, that still isn't an act of war unless it was sponsored by a foreign nation. By definition, war can only exist between two nation states

War can be between a nation and any group of people, from one to many, that decides to make war on it. I can declare war on the USA right now, if I wanted to, and you can too. In fact, there are individual Americans w

In the 1960s, when America was enjoying successful capitalism unequaled since, top executives made about 35 times as much as line workers. Now, as our dollar sinks along with our position in the world, top executives make over 350 times as much as their line workers. The last time income distribution was as skewed to the richest 1/10th of 1% as it is now was at the beginning of the Great Depression. Because capitalism failed then, we got all these socialist New Deal programs foisted on us. The hard-core Marx

Disproof by contradiction [wikipedia.org]. And just in case you decide to say that "getting rich" doesn't include inheriting (even though inheritance is the biggest factor in persisting inequitable distribution of wealth), note that Ms. Hilton probably earned about $7M in 2005-06.

The disproof case is weak. It's like arguing that global warming isn't happening because it snowed later in one part of the world. By and large, most people get ahead in life because they work smarter or harder. Being evil is lar

In the 1960s, when America was enjoying successful capitalism unequaled since,

Well, there were some special circumstances... like, all of our rivals were either firebombed - à la Europe or Japan, broke, like the UK, or didn't want any economic ties, like the Soviet bloc. So there was -only- American manufacturing...

and even then, if everyone was so happy, why were there so many riots?

I always love how nut job capitalists think if you are poor then you deserve to live without dignity or the ability to make ends meet.

Did I say that? I said that poor people are often poor because of the choices that they make. That's not the same as saying they don't deserve to eat. Why is it that the sense of entitlement has to be buoyed by victimization?

Throwing more "experts" at the problem doesn't make the problems go away. Just like making passwords more complex doesn't seem to increase security, especially when the average user doesn't seem to be getting any better (still writing password on post-its, etc)

Security exploits (and exploiters) will always tend towards the path of least resistance, and that is the end user. It will always be easier to exploit human weaknesses than computer system weaknesses. One can 'educate' a firewall for example through patches or rules and this will often be 'good enough'. On the other hand, one can educate a human, and they will be highly inconsistent (and often times down right stupid) in adapting what they learn into practice. Security systems need to be equally hardware an

I agree completely with this, at university I was given a random 8 digit password consisting of letters, letters (small and upper) and symbols. Because the systems demanded all of them I kept it.

Unfortunately where I work most passwords have to conform to the same standard but must be rotated every 3 months and can't repeat for a year. Next month I reach the point where I'm going to have to make something up and most probably I'll have to write it down (ran out of permutations.)

I don't think the parent is talking about standardizing his password across every service he uses. I think he's talking about standardizing what a password can consist of and what constitutes a standard length, and a *tiny* bit of sanity regarding human factors in memory and use.

I understand in practice that might allow people to collapse to a narrow set of passwords. But I think it's also possible that this kind of standardization could allow people's ideas about what constitutes a good password to coalesce around a few basic points, which might let them more readily create a few.

And the parent is absolutely right that rotating random strings of characters every three months presents a use problem. One type of security analyst might say "suck it up, there's a tradeoff between security and use," and if you can get the user to suck it up and that works in the context of the organization, that's great. But if not, this brings us to the point in the "Amateurs study crypto, pros study economics" phrase. If you really want a secure system, solve both problems. Provide the user with some security practice that isn't going to cost him cycles the operation of the organization is going to demand he use somewhere else.

Standardization of passwords is just a work-around (and a dangerous one). The real problem is the appalling lack of single sign on. There are tons of commercial and free implementations of LDAP and other Directories, and a lot of major applications support them. However, it is very difficult to convince developers of small project to get on board and it is very difficult to convince admins and architects the importance of single sign on. With a decent sso system, you wouldn't have to make your passwords

Writing passwords on post-it notes isn't a bad idea. Leaving the post-it notes with passwords outside of your control is what's bad. I write passwords on post-it notes all the time (I use post-its only because of the stigma--I could just as easily use index cards.) You know what I do with them? I put them in my wallet. I've had a couple of decades of training on keeping tabs on my wallet, so I'm not concerned about it. And if someone is going to rob me, or break into my house in order to get passwords,

Well, that's not an option for many of the systems to which I have logins. Also, fingerprint biometrics are so easily defeated that we aren't adding much security here. I haven't read much on other forms of biometrics, but I do know enough to know that revocation in the event of compromise is pretty harsh.

I'm not aware of any cases of break-ins involving fingerprint biometrics, if that's what you're asking for. But just because it hasn't happened (or been reported on) does not mean that they are secure.

You only asked for non-lab examples. There have been multiple, independently run tests of the technology and how it can be fooled. As I said in my reply, that it hasn't been done in the field is not pertinent.

Throwing more "experts" at the problem doesn't make the problems go away. Just like making passwords more complex doesn't seem to increase security, especially when the average user doesn't seem to be getting any better (still writing password on post-its, etc)

The obfuscation of passwords started in 1990 or thereabouts when crack first appeared and there was a need to strengthen the passwords to prevent the brute force attack taking less than a day.

One crippling problem with gathering hard numerical data about security is that so many incidents go unreported. A few make it into books, a few make it into the press, but most are solved internally.

If you have a fire, the fire department will write it down and it will go into national statistics that fire insurance companies can bet money on. If you have a security breach, would you even try involving law enforcement?

Another hassle is that so many of the costs are hard to quantify. Loss of revenue after a fire is something you can pin down. Loss of reputation or consumer confidence after a breach? The numbers will be uselessly fuzzy.

If you have a security breach, would you even try involving law enforcement?

With all the stories of police seizing computer equipment in criminal investigations and then never returning it, even after years have gone by and even if no one was found guilty, I'd be reluctant to involve the police.

Microsoft actively makes it worse, with fundamentally insecure designs like ActiveX, and the most unnecessarily complex systems on the planet.

When I started having to reinstall user's computers because a bug in Internet Explorer made the Control Panel break so badly I couldn't even bring it up to back it out in safe mode I decided they'd created a whole new kind of complex system event horizon.

The issue is not how we handle security, but rather a fundamental flaw with the technology itself. Meaning, the design of files themselves makes it too easy to copy them. Also, trying to slap on some sort of encryption layer is laughable at best because once the encryption is removed all security goes along with it.

In my opinion, as an industry we need to re-examine how documents are managed. I suspect a considerably better approach is more of a "looking glass" to managing data where instead of actually h

In my opinion, as an industry we need to re-examine how documents are managed.

And what's the cost benefit of that? You are talking about security and secrecy but really at the price of throwing innovation and efficiency out the window.

How can anyone on slashdot in their right mind be so dull-wittedly committed to doing in IT the very things that caused so many societies to fail! Secrecy and an atmosphere of secrecy, authentication at every turn,... my god, we have turned information into a virtual polic

I think I understand your argument, but it sounds more political than technological in nature... Also, I know my history well and it certainly does not back up that secrecy makes societies fail. Early Germany certainly did not fail because of secrecy, but rather because they had a madman at their helm. Soviet Russia just had an unsustainable government structure... The US economy is currently failing not because of our secrecy, but rather because we want to try grow our economy on the ever continued consum

Germany certainly did not fail because of secrecy, but rather because they had a madman at their helm. Soviet Russia just had an unsustainable government structure... The US economy is currently failing not because of our secrecy, but rather because we want to try grow our economy on the ever continued consumption of debt...:)

Well, part of the consequence of Germany having a madman at the helm was that there were a number of different weapons projects, all running in parallel and in secret from each other.

I agree and disagree. 1. Sometimes the need for secrecy outweighs the need for "innovation and efficiency."

2. People have plenty of data and are empowered to make decisions. But they don't know what to do; there is a fundamental education gap. These are the people who run random attachments they get from someone named "xplurg bffrgis" offering them "v14g r a." You think they're really equipped to make decisions on security?

The thing is, security is a risk management discipline. Most applications thereof

In my understanding, most sensitive data is stolen from improperly configured applications that permit access to weakly secured databases. See TJX for an example. File permissions have nothing to do with this (except on a very low, irrelevant level).

This is a people problem. People write bad code, configure servers poorly, and manage security inefficiently.

You'd still be moving the document, of course -- just, in this case, as a bitmap -- possibly JPEG-compressed. And if you're X-forwarding, then the text is actually available, in fact.

The problem is basic to the technology, but I think it's much more fundamental.

Analog electronics had a problem: Data was degraded as it was processed. Digital electronics solved the problem -- by copying the data in order to restore it at each step. Copying is inherent to the nature of digital technology. The minute

I'm thinking this basic idea is a large part of the MPAA's motivation for the move to higher and higher HD, for instance; in the extreme, they could give up on encryption, and replace it with a known nontrivial problem: Downsampling and recoding video. It's not quite the same magnitude as factoring products of large primes, but it's still a computational pain in the butt when you're talking about a 50GB Blu-Ray disc. I think it's fair to say that even if cpu speeds hold steady, our cores will grow. Given that,

"Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft."
I guess that goes to show us that security is one problem you can't just throw money at and make it go away.

I guess that goes to show us that security is one problem you can't just throw money at and make it go away.

Well, it will be a long time before anyone figures out how to make security problems go away. Microsoft has really increased the security of their systems over the past couple of years, so while throwing money at it isn't making the problem go away, it has certainly seemed to help a bit.

The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusions of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using their service or purchasing their product.

MARKETING causes problems?!! I'd have never dreamed of such a concoction of lunacy! This guy wants to make us think we'd actually be safer without the Nortons and McAfees of the world. I tell you this buddy, you can pry my annual $50 subscription from my cold dead hands!! I say we hunt down this guy with torches and rope in hand!

No, I do not work for Norton. What a silly question. That thousand bucks the guy in the Norton shirt just gave me is totally normal, so never you mind it. Anyways, lynch the heretic!

I think I'd beg to differ. Consider the growth rate of deployed systems and data, and compare to the number of security incidents. I think someone could make a strong argument that it IS getting better, proportionately. The internet has such impressive growth, it's hard to notice the change. Check out any sites with historical trends of reported security incidents (dshield.org, cert.org, whomever). They all show very large growth rates up until 2006, where they tend to level off. The internet didn't stop gr

Engineers became engineers because they have no social skills.
What? Don't like generalizations? Don't think anyone can read someone's mind, let alone a whole group of people? No? Then don't be part of it.
Jus' sayin'

I've been saying for years: More computer security is not better computer security!

More security can sometimes even lead to less security! A system that is too hard to access because of its security will eventually be bypassed by the normal users, leaving you with a bigger security hole, is one example of this. Customers who put three different firewall programs on their computer, plus the one on their router, is another example.

True for programmers as well: if the system makes it hard to program secure applications, it won't be done. There's a nice paper (pdf) that explains why programmers don't use the principle of least privilege [stanford.edu] (hint: with the current POSIX API, it's too complex and non-portable, and thus only a few programmers do it, basically in an ad-hoc fashion).
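As an added illustration of the complexity the comment refers to (example code, not from the post or the linked paper): a permanent privilege drop with the POSIX API in C, where the order of the calls matters and the result has to be verified afterwards. The function names `drop_privileges` and `privileges_dropped` are hypothetical.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to target_uid/target_gid. Order matters: supplementary
 * groups and the primary gid must go before the uid, because once the
 * process is no longer uid 0 it lacks the privilege to change its gids.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0) {
        /* Only a privileged process may reset supplementary groups. */
        if (setgroups(1, &target_gid) != 0)
            return -1;
    }
    if (setgid(target_gid) != 0)
        return -1;
    /* For a root process setuid() changes real, effective and saved uid. */
    if (setuid(target_uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop took effect: returns 1 if the process now runs as the
 * target ids and cannot regain uid 0, 0 otherwise. */
int privileges_dropped(uid_t target_uid, gid_t target_gid)
{
    if (getuid() != target_uid || geteuid() != target_uid)
        return 0;
    if (getgid() != target_gid || getegid() != target_gid)
        return 0;
    /* If target_uid is 0 nothing was dropped, so skip the regain check. */
    if (target_uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed demo: dropping to the caller's own ids exercises every
     * step and check without needing to run as root. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u dropped=%d\n", (unsigned)uid, (unsigned)gid,
           privileges_dropped(uid, gid));
    return 0;
}
```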

I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.

How many IT projects have you worked on where the company hires one of these huge consulting firms, spends millions of dollars, and still has problems after all is said and done? I think one of the problems is the business model of these firms. The head schmooze crowd takes the CIO for a round of golf or two, and convinces them that the firm is the answer to all their security questions. The next day, a bunch of barely-trained "security consultants" descend on the company and begin making all sorts of recommendations/purchases. Sounds cynical, but I've seen it many, many times. It's also applicable for any system replacement project, development project, etc.

The other problem is marketing of security products. How many times have you heard from a relative, "Oh, I've got Norton Internet Security, I'm safe." Vendors have a lot of people convinced that if they install their toolset, they can totally drop their guard.

How many IT projects have you worked on where the company hires one of these huge consulting firms, spends millions of dollars, and still has problems after all is said and done?

Not worked on but have been the unfortunate recipient of having to use them. First it was SAP. What a horrible piece of shit. Nearly every day we get calls from people who can't access the system and it's because the system can't handle all the requests from people processing travel vouchers, time requests, etc.

I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.

It's a specific case of a larger problem: when it comes to hiring (whether a consultant or employee), "it takes one to know one." If you don't have a good eye for quality industrial design, how will you be able to pick out a good industrial designer? If you don't really know something about information security, how will you recogni

I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.

In larger corporations, especially where the regulatory environment is a driving factor, you might find that money isn't being thrown at security, but rather compliance. As ErichTheRed points out, there is no shortage of these silver bullets being purchased from executives who don't know better.

Computer security begins and ends with the user's common sense. If the user is not informed on common data security practices, up-to-date exploits, viruses, malware, spyware, what have you, then they don't really have sense enough of where to start in the first place. Sure, you can buy yourself all the anti-virus protection you want, but that isn't going to protect you from ignorance.
Security software protects users from security breaches. It doesn't protect them from dumb.

What is going on in "computer security" now is a conflict where the bad guys use weapons and the good guys only use armor.

Just as with ordinary security - safes, locked doors, walls, armor, military "defense", etc. - attempts at IT infrastructure security only slow, not stop, the perpetrators. In ordinary security the "war" must be taken to the enemy - with self-defense deterrence and counterattacks, arrest/trial/incarceration, or retaliatory war. Why should information security be any different?

But as of now there is essentially no consequence - except occasional failure and the need to adjust tools to evade the latest security tweaks. The result has been an opportunity, and financial incentive, to develop a powerful security-breaking infrastructure and several very lucrative businesses based on it.

So things will keep getting worse until there is retaliation that creates enough consequences to knock the perpetrators down in number of perpetrators and longevity of activity.

Retaliation produces collateral damage, so this won't be pleasant. But systematically letting bad guys get away with their crimes creates a rising exponential of wrongdoing that eventually sucks the lifeblood out of the rest of the population. Eventually this will become so egregious that the rest of the population will be willing to accept the collateral damage if it knocks down the problem.

I've found in the commercial world that security in all of its flavors makes up no more than 10% of any outsourcing deal no matter how large or complex either the outsourcing deal is or the security requirements themselves. 8% is closer to the norm with some deals in the 3-4% range. That cost represents the total cost over the entire lifecycle including all labor and hardware. So I'm left wondering what people mean when they complain that so much money is being spent on security. If you're spending 1.6 mill

You guys are just about hitting the nail on the head. The problem is not so much in the complexity or quantity of security measures, but the policies and training presented to the users. I believe that over half of the users in my organization could not recognize a security threat and would most likely give their password out over the phone if the person calling them said they were in the IT department. Imagine if companies held a short class or training session about once a week to identify, react, and rep

Imagine if companies held a short class or training session about once a week to identify, react, and report threats. A little bit of training goes a long way. You don't need an expert to tell you that.

I used to do that for one company, even had a newsletter that had easy security tips, such as complex password phrases, how to determine if your email had a virus, and so on. Almost always they were forgotten because the company's mentality, like most, is to get the job done at least cost. Add to that that most of the users we dealt with ended up feeling like they didn't need it because they never encountered a problem; it's a downhill battle, ends up falling on the security person all ways. That's just the har

as it leads to apps not working and it can slow work down so much that high-up people tell the people under them to bypass it and do your job without waiting for the overworked, understaffed and underpaid IT guys to get around to it.

Information security is not dysfunctional. The author's logic is flawed. "Billions of dollars of information security products have been sold". "... everything points to more security breaches, vulnerabilities and incidents." [Therefore] "information security [is] so dysfunctional."
I think most working Security professionals would point to other "things" that lead to this state of bad security. Probably the two largest factors being: bad decisions by management and the lack of accountability (for both ma

The problem with IT security is that the solutions are that of being reactive to problems, and that we're asking for "secure" computing from nontrusted resources. There's never any proactive look at resources and doing proper planning for what sort of problems might develop (at least in my workplace). Project Managers and accountants never like to dole out money for dealing with exploits and issues that "might, in the future, become a hazard," and so the IT team is only rushing around putting out fires inst

There is no way you can wrap up INFOSEC in a simple way. Each company practices it in a different way because each has its own acceptance of liabilities due to applications that they use or equipment that they purchase. You make the best of INFOSEC with those in mind because no company will change their technology infrastructure just because it's not the most secure technology. If the company is an enterprise you can have thousands of different types of applications and equipment all working together for

Gimme a break! "It is 2008 and never has so much been spent in information security. Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along t

You can have the latest, most sophisticated (and probably expensive) security hardware and software imaginable, use military-grade encryption on every single file, and post armed guards at the entrance to your data center. But guess what? NONE of the above will make the slightest bit of difference as long as there are still people who write their passwords on sticky-notes without a second thought, and paste them to the front of their monitor, the inside of their desk drawer, or wherever.

Marcus Ranum's "The Six Dumbest Ideas in Computer Security" rant/essay neatly identified the top culprit a few years back. The mistakes he outlined continue to be made on a daily basis by nearly everyone working in the field -- and most of those people compound those errors by layering on more mistakes. (Example: "Well, yes, the firewall is default-permit outbound, but that's okay because we have an IDS.") This approach inevitably fails, yet those practicing it profess surprise every time it does -- especially if they happen to be standing in front of a press conference announcing the latest data loss incident.

We will not make any headway on this, as a profession, until we stop making rudimentary mistakes such as the ones Ranum has identified, along with a few others that are worthy additions to that list. No initiatives, no certifications, no appliances, nothing will change that -- because none of those change the attitudes of the people who are building systems and networks. Until those people manage to step back from irrelevant details like "which iframe exploit is current today?" and look at larger questions like "why are iframe exploits even possible?" or "why are browser exploits even possible?", then they will continue to waste effort "solving" the wrong problems.

Sadly, after observing this situation close up for many, many years, I've concluded that some, possibly many, people will never get that far. They simply Do Not Get It, and despite essays like Ranum's or books like this one or anything else, they're not going to get it. And they will continue to fail, and so the systems/networks they've built will continue to fail. I'd say that will make for a bleak future, but -- look around! -- we're living in a bleak present.

"We will not make any headway on this, as a profession, until we stop making rudimentary mistakes such as the ones Ranum has identified, along with a few others that are worthy additions to that list." This is one of those things that is only understood by following the money. There is no money to be found in cures, there is only money to be found in temporary fixes. One has an income stream, the other doesn't. This is a sad fact of life.

There will be a few companies who see the advantages in running a leane